Hi all, I'm in the process of configuring Apple Pay for payments on an ecommerce site and I've come across the following documentation: Setting Up Your Server | Apple Developer Documentation It mentions the following in a yellow highlighted note Use a strict allow list for Apple IP addresses and domains provided in Listing 1. Do not allow your server to access any other IP addresses or domains. My first question is why does my server need to set a strict allowed list when the domain name apple-pay-gateway.apple.com is publicly accessible? My second question is that my web server is hosted on Vercel and I assume that there are no IP restrictions on any outbound requests. If there were restrictions where would I apply this whitelisting? Thanks for your help.

Hello, we are experiencing issues with adding VISA cards via In-App Provisioning on iOS using PassKit. The same flow works correctly with Mastercard, but for VISA cards the Apple broker endpoint returns HTTP 500. Details Device: iPhone15,3 (iPhone 15 Pro), iOS 18.6.1 (22G90) Region: CZ App: [REDACTED] (version 0.4.3) Issuer ID: [REDACTED] Merchant ID and entitlements are configured and validated. SEID: [REDACTED] Request flow GET /broker/v4/devices/{SEID}/issuerProvisioningCertificates?encryptionVersion=EV_ECC_v2 Request ID: B61363A8-0BFF-4CD6-92BC-52C461DFFAAD Response: 200 OK Conversation ID: e12c64c9a0b54981adfad8d00800d836 Returned nonce: [REDACTED] Timestamp: 2025.08.21_14-01-46+0200 POST /broker/v4/devices/{SEID}/cards Request ID: F29B73CA-CDDE-4C0C-9F40-B87AE006FDDD Payload fields present (values redacted): encryptedCardData [REDACTED], ephemeralPublicKey [REDACTED], publicKeyHash [REDACTED], nonce [REDACTED], issuerIdentifier [REDACTED], encryptionVersion=EV_ECC_v2 Response: 500 Internal Server Error (latency ~0.41s) Timestamp: 2025.08.21_14-01-47+0200 Observation Provisioning succeeds with Mastercard but consistently fails with VISA. The GET issuerProvisioningCertificates succeeds; the POST …/cards returns 500. Request Could you please: Provide internal error details for Request ID F29B73CA-CDDE-4C0C-9F40-B87AE006FDDD (and/or Conversation ID e12c64c9a0b54981adfad8d00800d836), Confirm whether the 500 originates before or after the broker’s call to VTS (Visa Token Service), and Validate that our app/merchant/issuer configuration is fully enabled for VISA push provisioning in our region. Attached privately: sysdiagnose with full traces (can share via secure channel upon request). Kind regards, Martin

Hi support, I'm getting the following error when I tried to re-verify my domain: Domain verification failed. Review your TLS Certificate configuration to confirm that the certificate is accessible and a supported TLS Cipher Suite is used. I have uploaded the required apple-developer-merchantid-domain-association.txt file and it is reachable from the Internet in the proper location https://www..com/.well-known/apple-developer-merchantid-domain-association.txt. The SSL certificate has been renewed and it offers at least one of required cipher suites based on the Apple document https://developer.apple.com/documentation/applepayontheweb/setting-up-your-server. The current verification will expire soon. Need your help urgently. Thanks, YaoF

Hi, I'm adding deferredPaymentRequest container to get MPan, but payment is now cancelled by Webkit, no other explanation What is the next step to get mpan ? Regards, Louis "deferredPaymentRequest": { "deferredBilling": { "label": "Deferred Payment", "amount": "1.99", "type": "final", "paymentTiming": "deferred", "deferredPaymentDate": "2024-06-1", }, "managementURL": 'https://.../apmsim/pay/appleManagement', "paymentDescription": "this is a paymentDescription", }

Hi there, I'm using php to create a qr code card for your apple wallet. Hereby I'm using this package: https://github.com/chiiya/laravel-passes Currently I got this far, that it creates a temporary directory filled with the needed files, including: icon.png, logo.png, manifest.json, pass.json and a signature file. After that temp directory gets created it creates a .pkpass file. Which will be downloaded to your system using an anchor tag button with controller method behind. For some reason on my iPhone I can only download it as file (the .pkpass file) and not as an actual wallet card. Any idea what is going wrong?

Hello, Please help. We have been experiencing what appears to be a TLS handshake error in our Apple Pay merchant validation requests (2-way TLS) since June 25, 2025. We are aware of the encryption algorithm changes made in February 2025, and our system was functioning correctly at that time. However, the error started occurring suddenly and only recently. Could you please clarify the following points? Have there been any changes to the TLS configuration (cipher suites, certificates, protocol versions, etc.) on the Apple Pay server side since June 2025? Have there been any updates to the specifications or recommended settings for merchant validation requests? Is there any way to contact Apple for technical support regarding this issue other than through the Developer Forums? Our Merchant Identity Certificate has already been renewed and is confirmed to be valid.

We request your support in enabling the extended entitlement feature for our team when creating provisioning profiles. This is because we need to include the ApplePay In-App Provisioning Development extended entitlement in our Bancoagricola app. Currently, when creating new provisioning profiles, the screen to configure Additional Entitlements is not displayed for our team. However, we have verified with our provider HST (https://hst.com.br/) that this screen does appear in their Apple account. Thank you very much for your support.

Hi - I have a question. I am trying to understand when Apple Pay will be available on non-IOS desktop devices (specifically Google Chrome). I was hoping to understand better the process, specifically the following: How can I get the Apple Pay QR code installed on my desktop checkout page on Google Chrome? How long does this process usually take? If I work with Stripe, do I need to get approval from them to install the Apple QR code onto my Google Chrome checkout page? Is this readily available to all merchants (i.e., installing Apple Pay on Google Chrome)/ I have not seen this on any other checkout pages yet. Are there any examples you could point me to of merchants that have installed Apple Pay onto non-IOS desktop so I could trial the process (i.e., a list of existing merchants that have put the QR code onto their Google Chrome checkout pages)?

all mastercard cards expired in 2024

Hi all, Recently Apple made Buy Now, Pay Later options available on devices running on iOS 18 or above. Is there a way to disable that option in the payment sheet? I tried looking through the PKPaymentNetwork enums, and didn't find anything that corresponded with Affirm or Klarna. Is there another way that I can disable it?

Hi there, I'm using a PHP library to generate a apple wallet card. In the end my code generates a .pkpass file, but for some reason iOS does not recognize it as a wallet object, instead just as a .pkpass file which in can save in my downloads/documents. Any idea?

When I click to my Apple Pay button, my function below doesn't trigger the completeMerchantValidation method as expected, but the oncancel method (which logs errorCode "unknown" in Safari developer tools) : const processApplePayment = async () => { if (window.ApplePaySession) { const session = new window.ApplePaySession(6, { countryCode: 'FR', currencyCode: 'EUR', merchantCapabilities: ['supports3DS'], supportedNetworks: ['visa', 'masterCard'], total: { label: `Bon d'achat ${partnerName}`, type: 'final', amount: cartTotalValue.toString() } }); session.onvalidatemerchant = async event => { try { const merchantSession = await validateMerchantSession(event.validationURL); console.log('merchant session : ', merchantSession); if (!merchantSession) { console.error('Invalid Apple Pay merchant session'); } session.completeMerchantValidation(merchantSession); } catch (error) { console.error('merchant validation error : ', error); session.abort(); } }; session.onpaymentauthorized = async event => { console.log('payment authorization event : ', event); try { const link = await authorizePayment( event.payment.token, userInfo, partnerId, order.id ); console.log('payment authorized link : ', link); window.location.href = link; } catch (error) { console.error('Apple Payment authoriation error : ', error); const errorUrl = `${PATH.EBON_ERROR_PATH}-${partnerId}?paiement=error&orderId=${order.id}`; window.location.href = errorUrl; } }; session.oncancel = event => console.log('Apple Pay cancel event : ', event); session.begin(); } }; The validateMerchantSession function successfully returns this payment session from Apple server : { "epochTimestamp":1739279973502, "expiresAt":1739283573502, "merchantSessionIdentifier":"SSH108C7ED6746A48E38EA8D253D33CCAA5_916523AAED1343F5BC5815E12BEE9250AFFDC1A17C46B0DE5A943F0F94927C24", "nonce":"150de193", "merchantIdentifier":"11CA4E31493E748848A91A0DAB1685A8417C41B62B9863EF59A618B91239471A", "domainName":"lesnumeriques-bonsdachat.htmal1.com", "displayName":"Les Numériques", "signature":"308006092a86...779cd643c000000000000", // long string "operationalAnalyticsIdentifier":"Les Numériques:11CA4E31493E748848A91A0DAB1685A8417C41B62B9863EF59A618B91239471A", "retries":0, "pspId":"11CA4E31493E748848A91A0DAB1685A8417C41B62B9863EF59A618B91239471A" } What could I do wrong and how could I fix it please ?

Body: Hello, We are currently implementing iOS order verification and have encountered an issue. Some of the receipts we verify return with an empty in_app array, which makes it impossible to determine whether there is a valid in-app purchase. Below is the code we’re using for verification and the result we receive: Code Example: public function iosVerifyReceipt($receipt, $password = '', $sandbox = false) { $url = $sandbox ? 'https://sandbox.itunes.apple.com/verifyReceipt' : 'https://buy.itunes.apple.com/verifyReceipt'; if (empty($password)) { $data = json_encode(['receipt-data' => $receipt]); } else { $data = json_encode(['receipt-data' => $receipt, 'password' => $password]); } $ch = curl_init($url); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_POST, true); curl_setopt($ch, CURLOPT_POSTFIELDS, $data); $result = curl_exec($ch); curl_close($ch); $result = json_decode($result, true); $result = $result ?? []; $result['sandbox'] = $sandbox; if ($result['status'] != 0) { Log::warning('ios verify receipt failed', ['receipt' => $receipt, 'result' => $result, 'sandbox' => $sandbox]); if ($result['status'] == 21007) { return $this->iosVerifyReceipt($receipt, $password, true); } } return $result; } // Order validation check if (empty($result) || $result['status'] != 0) { throw new BadRequestHttpException("Ios Order Verify Error"); } $appItemId = $result['receipt']['app_item_id'] ?? ""; if ($appItemId != MY_APP_ID) { throw new BadRequestHttpException("Ios Order Verify Error"); } $inApp = array_filter( $result['receipt']['in_app'] ?? [], function ($item) use ($transactionId,$order) { return $item['transaction_id'] == $transactionId && $item['product_id'] == $order->getProductId(); } ); if (empty($inApp)) { throw new BadRequestHttpException( "Ios Order Verify Error"); } Array ( [receipt] => Array ( [receipt_type] => Production [adam_id] => * [app_item_id] => * [bundle_id] => * [application_version] => 5511 [download_id] => * [version_external_identifier] => * [receipt_creation_date] => 2025-02-11 04:06:47 Etc/GMT [receipt_creation_date_ms] => * [receipt_creation_date_pst] => 2025-02-10 20:06:47 America/Los_Angeles [request_date] => 2025-02-11 15:54:56 Etc/GMT [request_date_ms] => * [request_date_pst] => 2025-02-11 07:54:56 America/Los_Angeles [original_purchase_date] => 2025-02-11 04:02:41 Etc/GMT [original_purchase_date_ms] => * [original_purchase_date_pst] => 2025-02-10 20:02:41 America/Los_Angeles [original_application_version] => * [preorder_date] => 2025-01-17 21:12:28 Etc/GMT [preorder_date_ms] => * [preorder_date_pst] => 2025-01-17 13:12:28 America/Los_Angeles [in_app] => Array ( ) ) [environment] => Production [status] => 0 [sandbox] => )

We’ve recently observed an escalating number of complaints from AlipayHK users regarding duplicate charges when completing transactions via Apple Pay. While no similar issues have been reported by users of other credit card providers integrated with Apple Pay, the problem appears isolated to AlipayHK transactions. Key Details: Multiple users confirm being charged twice for single transactions. Complaints are increasing in frequency, indicating a potential systemic issue. No overlapping reports from non-AlipayHK payment methods at this time. To safeguard customer trust and ensure seamless payment experiences, we kindly request Apple’s support in: Investigating whether the root cause stems from Apple Pay’s transaction handling. Collaborating with AlipayHK (if necessary) to resolve the issue promptly. Providing guidance on interim measures to prevent further duplicate charges. Could Apple confirm if this is a known issue and share a timeline for resolution? We’re eager to assist in any way possible to mitigate impact on users. Thank you for your urgent attention to this matter.

Hello, I have existing application that was created 2 years ago and we wanted to start developing wallet, but in order to do that I need to create new Identifiers with In-App Provisioning but unfortunately it is missing. Any idea on how to solve that?

We have a checkout page on which clients can configure the providers we've integrated with for each currency. One such provider is Stripe, with which we have already integrated ApplePay and host a merchant domain association file. Now, we're getting requests to support ApplePay with other providers. The issue is that we can't tell Apple to use a different path to domain association file for domain verification. And, replacing the existing domain association file seems like a hack, since I believe it's needed for domain re-verification. We're thinking of using subdomains for serving the domain association files for different providers. But, we have some questions on how ApplePay domain verification works to understand how we can solve our problem. Firstly, can we use subdomains for individual domain verification? If we already have example.com verified with Stripe, can we serve the domain association file for the other provider with provider.example.com and have the verification work? Secondly, let's say our domain is example.com, and we can use provider.example.com to serve the domain association file and verify the domain. Then on example.com/checkout, will using an iframe with provider.example.com/applepay to host the ApplePay button work? This thread suggests otherwise, but we want to confirm. Lastly, is the only way to make an ApplePay payment for provider.example.com to use that subdomain? So redirecting to provider.example.com/applepay would work? Thanks for your help!

We are trying to develop a coupon/offer code module where our app users can avail a free trail offer for 2 months period after applying the code. We already had a subscription module with monthly & yearly subscriptions with 7 day free trial period. Now, we want to implement a offer/coupon module, where, a user can either select monthly or yearly subscription, and upon entering the offer/coupon code, they will get 2 months free trial (or) a discount on the chosen subscription. (this will overwrite the existing 7 day free trial). We are confused on choosing the type of “offer/coupon” from AppStore connect. In App Store connect, we have introductory offers, promotional offer & Offer codes. Based on our requirements, we have done research and found that we cannot implement the offer code & promotional codes in the develop environment as there is no possibility to test in Sandbox environment. We observed that we need to push the app to App store and upon approval, we need to implement “offer/coupon” module. Can some one please suggest or guide us on choosing the best solution for our requirement? Thanks in advance.

Hello -- We're preparing to roll out Apple Pay on website in the next week but encountered some issues during testing. While we successfully processed transactions using a VISA card, we ran into errors when testing with other card brands. Has anyone come across this issue before?

I work on integrating online payment gateways. We are currently integrating Stripe and Adyen payment gateways. However, when integrating with Stripe, we use the certificate file provided by Stripe, and for Adyen, since there are not many payment transactions, we cannot create our own account, so we are using an account from a partner company. Therefore, we also have to use the Apple Pay certificate file from the partner company. In other words, the certificate files for Stripe and Adyen are different, but we want to get verification for the same domain. How can we set up to differentiate between Stripe and Adyen for the same domain with two different certificate files? The framework we are using is React.js for the frontend and Node.js for the backend.

Hello, We have seen the following URL from one of our users when using Apple Pay http://cn-apple-pay-gateway.apple.com/ It appears to be from the China region. Do we need to add this URL to our trusted domains? A little more context, the user is located in the United States and users from China should not be accessing our site. Does this mean the users device is set to China as a region?